<?php

function userlogin() {
  global $CURUSER, $TABLE_PREFIX, $err_msg_install, $btit_settings, $update_interval, $THIS_BASEPATH;
  unset($GLOBALS['CURUSER']);

    session_name("xbtit");
    session_start();

  $ip = getip(); // $_SERVER["REMOTE_ADDR"];
  $nip = ip2long($ip);
  $res = get_result("SELECT * FROM {$TABLE_PREFIX}bannedip WHERE INET_ATON('".$ip."') >= first AND INET_ATON('".$ip."') <= last LIMIT 1;", true, $btit_settings['cache_duration']);
  if (count($res) > 0) {
    header('HTTP/1.0 403 Forbidden');
?>
<html><body><h1>403 Forbidden</h1>Unauthorized IP address.</body></html>
<?php
        die();
    }

    if(isset($_SESSION["CURUSER"]) && isset($_SESSION["CURUSER_EXPIRE"]))
    {
        if($_SESSION["CURUSER_EXPIRE"]>time())
        {
            $GLOBALS["CURUSER"]=$_SESSION["CURUSER"];
            return;
        }
        else
        {
            unset($_SESSION["CURUSER"]);
            unset($_SESSION["CURUSER_EXPIRE"]);
        }
    }

    if ($btit_settings['xbtt_use'])
  {
    $udownloaded = "u.downloaded+IFNULL(x.downloaded,0)";
    $uuploaded = "u.uploaded+IFNULL(x.uploaded,0)";
    $utables = "{$TABLE_PREFIX}users u LEFT JOIN xbt_users x ON x.uid=u.id";
  }
  else
  {
    $udownloaded = "u.downloaded";
    $uuploaded = "u.uploaded";
    $utables = "{$TABLE_PREFIX}users u";
  }

// guest   
    if($btit_settings["secsui_cookie_type"]==1)
        $id = (isset($_COOKIE["uid"]) && is_numeric($_COOKIE["uid"]) && $_COOKIE["uid"]>1) ? $id=(int)0+$_COOKIE["uid"] : $id=1;
    elseif($btit_settings["secsui_cookie_type"]==2)
    {
        $user_cookie_name=((isset($btit_settings["secsui_cookie_name"]) && !empty($btit_settings["secsui_cookie_name"]))?$btit_settings["secsui_cookie_name"]:"xbtitLoginCookie");
        if(isset($_COOKIE[$user_cookie_name]))
        {
            $user_cookie=unserialize($_COOKIE[$user_cookie_name]);
            $id=((is_numeric($user_cookie["id"]) && $user_cookie["id"]>1)?(int)0+$user_cookie["id"]:$id=1);
        }
        else
            $id=1;
    }
    elseif($btit_settings["secsui_cookie_type"]==3)
    {
        if(isset($_SESSION["login_cookie"]))
        {
            $user_cookie=unserialize($_SESSION["login_cookie"]);
            $id=((is_numeric($user_cookie["id"]) && $user_cookie["id"]>1)?(int)0+$user_cookie["id"]:$id=1);
        }
        else
            $id=1;
    }
    else
        $id=1;  

  if($id > 1)
    {
        $res = do_sqlquery("SELECT u.warn, u.seedbonus, u.salt,  u.pass_type, u.lip, u.cip, $udownloaded as downloaded, $uuploaded as uploaded, u.smf_fid, u.ipb_fid, u.topicsperpage, u.postsperpage,u.torrentsperpage, u.flag, u.avatar, UNIX_TIMESTAMP(u.lastconnect) AS lastconnect, UNIX_TIMESTAMP(u.joined) AS joined, u.id as uid, u.username, u.password, u.random, u.email, u.language, u.style, u.time_offset, ul.* FROM $utables INNER JOIN {$TABLE_PREFIX}users_level ul ON u.id_level=ul.id WHERE u.id = $id LIMIT 1;", true);
        $row = mysql_fetch_assoc($res);

        if($btit_settings["secsui_cookie_type"]==1)
        {
            if(md5($row["random"].$row["password"].$row["random"])!=$_COOKIE["pass"])
                $id=1;
        }
        elseif($btit_settings["secsui_cookie_type"]==2  || $btit_settings["secsui_cookie_type"]==3)
        {
            $cookie_items=explode(",", $btit_settings["secsui_cookie_items"]);
            $cookie_string="";

            foreach($cookie_items as $ci_value)
            {
                $ci_exp=explode("-",$ci_value);
                if($ci_exp[0]==8)
                {
                    $ci_exp2=explode("[+]", $ci_exp[1]);
                    if($ci_exp2[0]==1)
                    {
                        $ip_parts=explode(".", getip());

                        if($ci_exp2[1]==1)
                            $cookie_string.=$ip_parts[0]."-";
                        if($ci_exp2[1]==2)
                            $cookie_string.=$ip_parts[1]."-";
                        if($ci_exp2[1]==3)
                            $cookie_string.=$ip_parts[2]."-";
                        if($ci_exp2[1]==4)
                            $cookie_string.=$ip_parts[3]."-";
                        if($ci_exp2[1]==5)
                            $cookie_string.=$ip_parts[0].".".$ip_parts[1]."-";
                        if($ci_exp2[1]==6)
                            $cookie_string.=$ip_parts[1].".".$ip_parts[2]."-";
                        if($ci_exp2[1]==7)
                            $cookie_string.=$ip_parts[2].".".$ip_parts[3]."-";
                        if($ci_exp2[1]==8)
                            $cookie_string.=$ip_parts[0].".".$ip_parts[2]."-";
                        if($ci_exp2[1]==9)
                            $cookie_string.=$ip_parts[0].".".$ip_parts[3]."-";
                        if($ci_exp2[1]==10)
                            $cookie_string.=$ip_parts[1].".".$ip_parts[3]."-";
                        if($ci_exp2[1]==11)
                            $cookie_string.=$ip_parts[0].".".$ip_parts[1].".".$ip_parts[2]."-";
                        if($ci_exp2[1]==12)
                            $cookie_string.=$ip_parts[1].".".$ip_parts[2].".".$ip_parts[3]."-";
                        if($ci_exp2[1]==13)
                            $cookie_string.=$ip_parts[0].".".$ip_parts[1].".".$ip_parts[2].".".$ip_parts[3]."-";

                        unset($ci_exp2);
                    }
                }
                else
                {
                    if($ci_exp[0]==1 && $ci_exp[1]==1)
                    {
                        $cookie_string.=$row["uid"]."-";
                    }
                    if($ci_exp[0]==2 && $ci_exp[1]==1)
                    {
                        $cookie_string.=$row["password"]."-";
                    }
                    if($ci_exp[0]==3 && $ci_exp[1]==1)
                    {
                        $cookie_string.=$row["random"]."-";
                    }
                    if($ci_exp[0]==4 && $ci_exp[1]==1)
                    {
                        $cookie_string.=strtolower($row["username"])."-";
                    }
                    if($ci_exp[0]==5 && $ci_exp[1]==1)
                    {
                        $cookie_string.=$row["salt"]."-";
                    }
                    if($ci_exp[0]==6 && $ci_exp[1]==1)
                    {
                        $cookie_string.=$_SERVER["HTTP_USER_AGENT"]."-";
                    }
                    if($ci_exp[0]==7 && $ci_exp[1]==1)
                    {
                        $cookie_string.=$_SERVER["HTTP_ACCEPT_LANGUAGE"]."-";
                    }
                }
                unset($ci_exp);
            }
            $final_cookie["hash"]=sha1(trim($cookie_string, "-"));

            if($final_cookie["hash"]!=$user_cookie["hash"])
                $id=1;
        }
    }
    if($id==1)
    {
        $res = do_sqlquery("SELECT u.warn, u.seedbonus, u.salt, u.pass_type, u.lip, u.cip, $udownloaded as downloaded, $uuploaded as uploaded, u.smf_fid, u.ipb_fid, u.topicsperpage, u.postsperpage, u.torrentsperpage, u.flag, u.avatar, UNIX_TIMESTAMP(u.lastconnect) AS lastconnect, UNIX_TIMESTAMP(u.joined) AS joined, u.id as uid, u.username, u.password, u.random, u.email, u.language, u.style, u.time_offset, ul.* FROM $utables INNER JOIN {$TABLE_PREFIX}users_level ul ON u.id_level=ul.id WHERE u.id = 1 LIMIT 1;", true);
        $row = mysql_fetch_assoc($res);
    }

  // CHECK FOR INSTALLATION FOLDER WITHOUT INSTALL.ME
  if ($row['id_level'] == 8 && (file_exists('install.php') || file_exists('upgrade.php'))) // only owner level
    $err_msg_install = '<div align="center" style="color:red; font-size:12pt; font-weight: bold;">SECURITY WARNING: Delete install.php & upgrade.php!</div>';
  else
    $err_msg_install='';

    $_SESSION["CURUSER"]= $row;
    $_SESSION["CURUSER_EXPIRE"] = (time()+$btit_settings["cache_duration"]);
    $GLOBALS['CURUSER'] = $row;

    mysql_free_result($res);
    unset($row);
}
?>
